Did you ever get this to work?  I have not.

On Tuesday, January 7, 2014 at 6:16:37 PM UTC-5, Adam Morris wrote:
>
> The solution I went with is not perfect, but pretty good...  My 
> localaccounts task has two main user tasks in it (they take lists of users 
> and are identical apart from one aspect).  The lists are provided with 
> Linux style password hashes.  
> The first section runs only on Linux hosts and takes the hash as is.  
> The second one runs only on AIX and replaces password={{item.password}} 
> with password={{item.password | replace("$1$", "{smd5}") | replace("$5$", 
> "{ssha256}") | replace("$6$", "{ssha512}") }} 
>
> This replaces the Linux-style encryption identifier $[1|5|6]$ with the AIX 
> equivalent {s[md5|sha256|sha512]}
>
> Adam
>
> On Tuesday, January 7, 2014 12:10:43 PM UTC-8, Romeo Theriault wrote:
>>
>> On Tue, Jan 7, 2014 at 7:47 AM, Adam Morris <zwac...@gmail.com> wrote:
>>
>>>
>>>
>>> On Monday, January 6, 2014 4:33:57 PM UTC-8, Romeo Theriault wrote:
>>>>
>>>> Not sure I'm going to answer your question but I'd recommend that you 
>>>> use the highest level of password encryption your version of unix 
>>>> supports. 
>>>> On modern Linux boxes this is SHA512. I'm not sure about AIX. I don't 
>>>> *believe* openssl passwd allows you to generate SHA512 encrypted 
>>>> passwords. 
>>>> I use the Python library passlib [1] for this.  Easy enough to do:
>>>>
>>>  
>>> Thanks Romeo, AIX can handle SMD5, SHA-256 and SHA-512... (plus blowfish 
>>> on the server I checked).  So I could say that we should use SHA-512 going 
>>> forward.  That still leaves me with the question as to how I handle them... 
>>>  Do I store an AIX password and a Linux password for every user, do I munge 
>>> the passwords when I use them, or do I add a potentially ugly hack to 
>>> Ansible that would take care of the issue?
>>>
>>> I'm leaning towards the second option myself...  It's not entirely 
>>> clean, but it does seem like a reasonable way to go.
>>>
>>
>> If, like you suggested, AIX passwords just have something prepended to them, 
>> I'd just store one SHA512 password and interpolate the needed prefix on the 
>> AIX boxes. 
>>
>> -- 
>> Romeo
>>
>
